Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2017-10356, CVE-2017-10345)

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 6, 7, and 8, which are used by IBM Rational ClearCase. These issues were disclosed as part of the IBM Java SDK updates in October 2017.

Vulnerability Details

CVEID: CVE-2017-10356 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133785 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-10345 DESCRIPTION: An unspecified vulnerability related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133774 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Rational ClearCase version 8 and 9 in the following components:

• CCRC WAN server/CM Server component, when configured to use SSL
• ClearCase remote client: CCRC/CTE GUI, rcleartool, and CMAPI clients

ClearCase version

|

Status

—|—

9.0.1 through 9.0.1.2

|

Affected

9.0 through 9.0.0.6

|

Affected

8.0 through 8.0.0.21 | Affected
8.0.1 through 8.0.1.17 | Affected

Remediation/Fixes

The solution is to install a fix that includes an updated Java™ Virtual Machine with fixes for the issues, and to apply fixes for WebSphere Application Server (WAS).

CCRC Client fixes

• Apply the relevant fixes as listed in the table below.

Affected Versions

|

Applying the fix

—|—

9.0.1 through 9.0.1.2
9.0 through 9.0.0.6

| Install Rational ClearCase Fix Pack 3 (9.0.1.3) for 9.0.1

8.0.1 through 8.0.1.17
8.0 through 8.0.0.21

| Install Rational ClearCase Fix Pack 18 (8.0.1.18) for 8.0.1
For 7.0, 7.1, 8.0, and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
Notes:
* If you use CCRC as an extension offering installed into an Eclipse shell (one not provided as part of a ClearCase release), or you use rcleartool or CMAPI using a Java™ Virtual Machine not supplied by IBM as part of Rational ClearCase, you should update the Java™ Virtual Machine that you use to include a fix for the above issues. Contact the supplier of your Java™ Virtual Machine and/or the supplier of your Eclipse shell.

CCRC WAN server fixes

Affected Versions

|

Applying the fix

—|—
9.0.0.x
9.0.1.x
8.0.1.x
8.0.0.x | Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary.

• 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\versionInfo.bat `(Windows). The output includes a section "IBM WebSphere Application Server". Make note of the version listed in this section.
  

  2. Review the following WAS security bulletin:

Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects WebSphere Application Server October 2017 CPU

and apply the latest available fix for the version of WAS used for CCRC WAN server.
* **Note:**there may be newer security fixes for WebSphere Application Server. Follow the link below (in the section "